The service, which counts organisations such as Apple, DuckDuckGo, Mozilla and Nasa among its customers, was targeted through two vulnerabilities, CVE-2020-11651 and CVE-2020-11652, that were first discovered by F-Secure researchers and revealed in a co-ordinated disclosure on 30 April 2020.

The vulnerabilities, which carry a Common Vulnerability Scoring System (CVSS) rating of 10, the highest possible, enable hackers to gain remote code execution capabilities on Salt master repositories. This could allow them to install backdoors into systems, carry out ransomware attacks, or take over systems to mine cryptocurrencies.

F-Secure principal consultant Olle Segerdahl, who uncovered the vulnerabilities, warned that due to their easy-to-exploit nature, Salt users who did not patch their systems by Friday 1 May risked being compromised over the weekend, and indeed, active exploits were seen within 72 hours targeting geographically-dispersed honeypots.
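A fleet-wide patch check is the first thing an operator in this position would want. The script below is an added example, not code from the article, F-Secure or SaltStack: it parses collected `salt --versions-report` output (the three host reports are constructed samples), works out which release branch each master is on, and compares it with the minimum fixed version for that branch. The fixed versions are deliberately left as a table the operator fills in from the vendor advisory, because Salt fixed the flaws on more than one release branch, so a single "anything below X is vulnerable" comparison would misclassify a patched older branch. The illustrative numbers in the usage section are placeholders, not the advisory's.

```python
"""Branch-aware audit of Salt masters against fixed versions.

Added example (not from the article). Assumes the operator has already
collected `salt --versions-report` output from each master and fills in
FIXED_BY_BRANCH from the vendor advisory.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample: `salt --versions-report` output from three masters.
# Hostnames and version numbers are made up for illustration.
SAMPLE_REPORTS: Dict[str, str] = {
    "master-a.example": (
        "Salt Version:\n"
        "           Salt: 2019.2.3\n\n"
        "Dependency Versions:\n"
        "           cffi: Not Installed\n"
    ),
    "master-b.example": "Salt Version:\n           Salt: 3000.1\n",
    "master-c.example": "Salt Version:\n           Salt: 2018.3.5\n",
}

# Matches the "Salt: <version>" line of a versions report (not "Salt Version:").
VERSION_RE = re.compile(r"^\s*Salt:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_salt_version(report: str) -> Optional[Version]:
    """Extract the Salt version from a --versions-report dump as an int tuple."""
    match = VERSION_RE.search(report)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).rstrip(".").split("."))


def branch_of(version: Version) -> str:
    """Release branch: date-style 'YYYY.N' before the 3000 scheme, else the major number."""
    if version[0] < 3000:
        return ".".join(str(part) for part in version[:2])
    return str(version[0])


def classify(version: Version, fixed_by_branch: Dict[str, Version]) -> str:
    """Compare a version with the fixed release on its own branch."""
    minimum = fixed_by_branch.get(branch_of(version))
    if minimum is None:
        # No fixed release on this branch in the table: needs a branch upgrade,
        # so treat it as needing action rather than silently passing it.
        return "unsupported-branch"
    return "patched" if version >= minimum else "vulnerable"


def audit(reports: Dict[str, str], fixed_by_branch: Dict[str, Version]) -> Dict[str, str]:
    """Return host -> status for every collected report."""
    result: Dict[str, str] = {}
    for host, report in reports.items():
        version = parse_salt_version(report)
        result[host] = "unknown" if version is None else classify(version, fixed_by_branch)
    return result


if __name__ == "__main__":
    # PLACEHOLDER thresholds: replace with the fixed releases from the advisory.
    ILLUSTRATIVE_FIXED: Dict[str, Version] = {"2019.2": (2019, 2, 9), "3000": (3000, 9)}
    for host, status in audit(SAMPLE_REPORTS, ILLUSTRATIVE_FIXED).items():
        print(f"{host}: {status}")
```

Hosts reporting `unknown` (no parsable version line) or `unsupported-branch` deserve the same urgency as `vulnerable`: in both cases the check could not confirm a fix is present.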

In Ghost’s case, the organisation first reported a service outage affecting its Ghost(Pro) sites and Ghost.org billing services at approximately 3:20am BST on the morning of Sunday 3 May.

A subsequent investigation found that attackers had gained access to its systems and attempted to use them to mine cryptocurrency. This caused central processing unit (CPU) spikes and overloaded Ghost’s systems, causing the outage.

Ghost said it had been able to verify that no credit card information, credentials or other data relating to its customers had been affected.

It has now introduced multiple new firewalls and additional security precautions, which have caused some instability on its network and impacted some customers.

“All traces of the cryptomining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network,” said Ghost in a statement on its website, correct as of 9:30am on 4 May.

“The team is now working hard on remediation to clean and rebuild our entire network. We will keep this incident open and continue to share updates until it is fully resolved. We will also be contacting all customers directly to notify them of the incident and publishing a public post-mortem later this week.”

Tim Mackey, principal security strategist at Synopsys’ Cybersecurity Research Centre, said: “Datacentre patch strategies need to take into account not only the applications deployed, but also the underlying infrastructure and any firmware used within all devices powering businesses.

“In the case of this attack, the attackers were reportedly interested in running cryptomining software. Since attackers define the rules in any cyber attack, it’s important for anyone running an unpatched SaltStack instance to recognize that a different malicious team or environment could easily result in a different type of compromise.”

Martin Jartelius, chief security officer at Outpost24, added: “Be grateful this was abused for simple monetary gain and nothing sophisticated, which it could equally well have been.”

Separately, open source Android distribution LineageOS revealed it was also targeted by cyber criminals exploiting the Salt vulnerabilities. Its systems were taken offline at roughly the same time as Ghost’s.
